The challenge of trundling forward with Kerberos integration.

Andrew Bartlett abartlet at samba.org
Sun Jun 12 03:23:15 EDT 2005 

On Sat, 2005-06-11 at 16:45 -0500, g.w at hurderos.org wrote:
> Good day to everyone, I hope the weekend is going well or the week is
> starting well depending on when you read your mail.

> With that said I understand the reasoning on which Tridge and company
> made their decision to move forward.  Our concerns with the direction
> of Samba4 are more in its general goal of trying to clone AD with its
> resultant architectural and potential IP problems.

Just responding to this point first, because we need to be rather clear
on the point.  We are not trying to 'clone' AD (in particular, there is
no aim at duplicating the internal structure), and while a goal of
Samba4 is to implement management and logon protocols used in AD, the
server-side design is quite different. 

The closely integrated KDC is not that way 'because Microsoft did it
that way' (their KDC is different again), but for other reasons:

 - A more global design decision was taken describing how Samba4 would
operate as a unix service (as a single binary, providing all integrated
services)
 - Because of the pain in doing portable dlopen() based plugins
 - Because of the close integration between the protocols we support
forced a common backend, and above two points clearly suggested a direct
linking.
 - Because it must 'just work', without the admin every knowing what
kerberos is.  

In the long term, I see optional integration with other kerberos
projects as a viable and valuable option, but I'm keen to finish the
current KDC, and gain some real world experiences before I send
developers on wild goose chases for features we may find we actually
can't use.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20050612/9a6f3876/attachment.bin

More information about the krbdev mailing list